MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4b6fb9eac1ea52e013bfb4061a1232fe0d145bc9e260df9bd0d76b1a31be78bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4b6fb9eac1ea52e013bfb4061a1232fe0d145bc9e260df9bd0d76b1a31be78bf
SHA3-384 hash: 54838bc3b2b1cb436eafe4acd9cf9a8c73fee2693155c20482d3d9012aeea26f2998fecbeea73ccdcd7696f5aaa23fe4
SHA1 hash: c9d5a770db875676f3ea062bbc6de83d4d8b5c2e
MD5 hash: 37bfff255b323160a222c6573121a826
humanhash: video-ten-fourteen-emma
File name:order.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:748'032 bytes
First seen:2021-09-12 12:59:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 82370a24b9c73cf4d64f411275d30e40 (2 x Formbook)
ssdeep 12288:TRuJxR+RWGfhP1FBZE0Dfe4jy7sijVa4nB40lRS/HqJ:TE6P5dZ9fzjARa4B45v6
Threatray 9'331 similar samples on MalwareBazaar
TLSH T12BF45AA991C34C6BF1128A3D9F86DFE4A82B7E410469DE820EA53DEF433B55D741D0E2
dhash icon b0b03a343630b8c0 (8 x RemcosRAT, 2 x BitRAT, 2 x Formbook)
Reporter malwarelabnet
Tags:exe FormBook xloader

Intelligence

File Origin
# of uploads :
1
# of downloads :
233
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ab.exe
Verdict:
Malicious activity
Analysis date:
2021-09-12 03:24:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3e715bb5-4709-4b97-b600-5d9bfccecaf1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/187135/
Detection(s):
PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Launching a process
Launching cmd.exe command interpreter
Deleting a system file
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger
Link:
https://www.filescan.io/uploads/6174f7bb9a5a1e91c5d1f641/reports/28d53e27-9799-43da-bc3b-05621b8416f7/overview
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7903a059-d32e-4c65-9242-0787c58db6d0
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/849346
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 481775 Sample: order.exe Startdate: 12/09/2021 Architecture: WINDOWS Score: 100 30 Found malware configuration 2->30 32 Malicious sample detected (through community Yara rule) 2->32 34 Multi AV Scanner detection for submitted file 2->34 36 3 other signatures 2->36 10 order.exe 15 2->10         started        process3 dnsIp4 26 cdn.discordapp.com 162.159.133.233, 443, 49793, 49794 CLOUDFLARENETUS United States 10->26 28 192.168.2.1 unknown unknown 10->28 44 Writes to foreign memory regions 10->44 46 Allocates memory in foreign processes 10->46 48 Creates a thread in another existing process (thread injection) 10->48 50 Injects a PE file into a foreign processes 10->50 14 DpiScaling.exe 10->14         started        signatures5 process6 signatures7 52 Modifies the context of a thread in another process (thread injection) 14->52 54 Maps a DLL or memory area into another process 14->54 56 Sample uses process hollowing technique 14->56 58 2 other signatures 14->58 17 explorer.exe 14->17 injected process8 process9 19 wscript.exe 17->19         started        signatures10 38 Modifies the context of a thread in another process (thread injection) 19->38 40 Maps a DLL or memory area into another process 19->40 42 Tries to detect virtualization through RDTSC time measurements 19->42 22 cmd.exe 1 19->22         started        process11 process12 24 conhost.exe 22->24         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4b6fb9eac1ea52e013bfb4061a1232fe0d145bc9e260df9bd0d76b1a31be78bf/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-09-11 21:43:24 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jnx3t2wb5jjoae57wqdbuers7ygriw6j4jqn7g6q25vrumn6pc7q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
03735650255866b1c2592bcb4567cbcb2b9d23eea5430d2e7d7c6315abadb5ad
Formbook
1ab52bac5850518b5e948ea170b9d5b9f7e2aca962e4ed99d171085cdf970e19
Formbook
48d7ee8524b6c594ee30967ffa0b0c651ff0ea54162aa142e13fcd9c9a577125
Formbook
5bcba2a09d8758ca07490dfcd3859a64b3a0092ed7873a707e73346eefd4235e
Formbook
660708a7f99d26de87386ca21682b96179f16f2dbc67578a704cb94d78e9848f
Formbook
75eef833ff0c8434f8b093e781b54b3d33c0555613ffe75e05fa6c5bec70a77d
Formbook
7b31e4beaeb3665a7e4d0575c0ace2d8d025cdca733d5ad293ee3506918cdde5
Formbook
87ad57ffa31e9b3481663bd81249ec1e563dc2931bb4bb2045b06ea7917f1593
Formbook
8d77ac5e45a0f443b317f1a717dffd55e98319508cc05080ea006b5fcc93c78a
Formbook
a7c09392aa26962b20d2fc58398b6425ebd062187b2923fbbb7b1866523f1e26
Formbook
+ 9'321 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:angp loader rat suricata
Link:
https://tria.ge/reports/210912-p8nmwsfcdm/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.cartoonuniversetr.com/angp/
Unpacked files
SH256 hash:
4b6fb9eac1ea52e013bfb4061a1232fe0d145bc9e260df9bd0d76b1a31be78bf
MD5 hash:
37bfff255b323160a222c6573121a826
SHA1 hash:
c9d5a770db875676f3ea062bbc6de83d4d8b5c2e
Link:
https://www.unpac.me/results/6bbce35a-4641-4e81-84ef-a5a8ea312496/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/4b6fb9eac1ea/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/187135/

Comments